Solved

Anonymous Access - Is it safe?

Posted on 2014-02-05
7
347 Views
Last Modified: 2014-02-11
I'm involved in a debate over the safety of allowing internal anonymous (read only) access to a SharePoint 2010 (Enterprise) WCM site.

They have 2 main SharePoint areas, one WCM and the other Collaboration. SharePoint is only accessible within the company network. Authentication is NTLM against 3 trusted domains. Due to corporate aquisitions there are a few hundred employees currently on non-trusted domains.

It's been proposed that we enable anonymous access on the WCM site so all employees can see company announcements. However there's a big push-back against this for 'security reasons'. Nothing specific, just a feeling that opening access somehow opens the collaboration site and other data to attack.

(I will also mention, Federated Services has been considered as an alternative access method for our extra users, but the hardware and configuration requirements are very tight for our timescales.)

Considering that access is only possible from within the company network, there is intrusion detection software configured on all requests to SharePoint, access is read only etc, am I missing something? Should anonymous access to non-sensitive data (admittedly in the same farm as sensitive data) be of major concern to anyone?
0
Comment
Question by:Jamie McAllister MVP
  • 4
  • 2
7 Comments
 
LVL 17

Expert Comment

by:Walter Curtis
ID: 39836756
Anonymous access is very useful in the situation your describe. The biggest danger is human error. If for example some creates a site collection that inherits the anonymous access and it is not explicit disabled, then data could be exposed. Consider creating an additional web application where anonymous access is enable and have all other data in a web app that has anonymous disabled and you lower the risk of an error. I have done that on several occasions and it has worked well.

Hope that helps
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838192
I would suggest to configure access for Authenticated users instead of Anonymous. if not, there are certain groups like domain users which you can use where all the users from domain are member of that group, you can configure access for this group in each domain as a work around.
0
 
LVL 31

Author Comment

by:Jamie McAllister MVP
ID: 39838404
Can anyone tell me an absolute show-stopper for Anonymous access within our network?

Or alternatively an absolute assurance that Anonymous is fine in the scenario I described?

At the moment I need to feed into the decision for a go/no go on anonymous access.
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39838410
It is fine but your security team may not approve or might be an issue in audits.
0
 
LVL 31

Author Comment

by:Jamie McAllister MVP
ID: 39838531
What specific grounds might they not approve on if it is safe?
0
 
LVL 31

Accepted Solution

by:
Jamie McAllister MVP earned 0 total points
ID: 39838748
Spencer Harbar was kind enough to provide some input to this debate on a private forum. I can't cross post the text in full but a summary of the advice is this;

Such content should always be authenticated. Factors such as the content being on the Internal Network, or having IDS in place do not influence the risk management. Having ACL in place would significantly reduce the risk of outages from malicious intent.

Suggested approach is creating accounts for all users, opening up the WCM site to All Authenticated Users if necessary, but always having ACL in place.

Thanks for your input on the question.
0
 
LVL 31

Author Closing Comment

by:Jamie McAllister MVP
ID: 39849632
Spencer Harbar advised against Anonymous Access.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OfficeMate Freezes on login or does not load after login credentials are input.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question